On Apr 20, 2012, at 1:52 PM, [email protected] wrote:
>> That is straight from the following line in rsyslog.conf, so if that is
>> broken then it's an rsyslog bug:
>>
>> kern.info @[zenhost]:1154
>
> what is your default template? if you could run a quick test and add
> ;RSYSLOG_Traditional_Forward_Format to the line and see if you get the format
> I am expecting.

# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

All of our logs are in this format, we don't use the modern/better format.

> the fact that the contents is starting so much later in the omspoof version
> is definitely a bug. I wonder what it thinks it's doing? could you write to a
> file using the same template and see what shows up in the file?

All file writing works exactly as expected.

local7.* /tmp/rawtest.log;Untouched

$ cat /tmp/rawtest.log
<190>Apr 20 14:39:33 sj2-web08 jorhett: 123 This is another test message$

No linefeed, so that's the prompt at the end there.

$ hexdump -c /tmp/rawtest.log
0000000   <   1   9   0   >   A   p   r       2   0       1   4   :   3
0000010   9   :   3   3       s   2   2   -   w   w   w   0   8       j
0000020   o   r   h   e   t   t   :       1   2   3       T   h   i   s
0000030       i   s       a   n   o   t   h   e   r       t   e   s   t
0000040       m   e   s   s   a   g   e
0000048

So I suspect this is just a udpspoof thing. The very odd thing is that either syslogd deals with this, or it only affects spoofing to a non-standard port.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness

